Another post from

http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2005-02/0189.html

“We have a Windows 2003 box which is currently issuing certificates with an Authority Key Identifier extension with a KeyID only (i.e. KeyID=ed 2a 47 a4 e9 09 5a ec 9e 51 1a 81 04 58 78 87 61 3f 94 fc).

How do we add the IssuerName and IssuerSerial number to the AKI field?

Note: the certutil "-setreg policy\EditFlags +EDITF_ENABLEAKIISSUERSERIAL" and "certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERNAME" fail to add these fields to the issued certificates.“

 

ANSWER:

For a Windows 2003 CA you also need to set the following:


certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERNAME

certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERSERIAL

The first setting (certutil -setreg ca\CRLEditFlags) enables the CA itself to generate the extension with these fields populated. The second (certutil -setreg policy\EditFlags, the command from the original post) tells the policy module to leave the fields in the extension rather than stripping them out. Both are required; setting only the policy flags, as the poster did, leaves the AKI with a KeyID alone.
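As an added example (not from the original post, and not part of the CA's own tooling), the following PowerShell decodes an issued certificate's Authority Key Identifier extension and reports which of its three components are present, so the effect of the flags above can be verified on a real certificate. The certificate path is a placeholder and the two byte arrays are constructed samples.

```powershell
# Added example: inspect the Authority Key Identifier (AKI) extension and report
# which of its optional components an issued certificate carries.
# The AKI DER layout is fixed by RFC 5280:
#   SEQUENCE {
#     [0] keyIdentifier              (context tag 0x80, primitive)
#     [1] authorityCertIssuer        (context tag 0xA1, constructed GeneralNames)
#     [2] authorityCertSerialNumber  (context tag 0x82, primitive)
#   }
# A CA without the EDITF_ENABLEAKIISSUERNAME / EDITF_ENABLEAKIISSUERSERIAL flags
# in both ca\CRLEditFlags and policy\EditFlags emits only the [0] component.
# To check the CA side first:  certutil -getreg ca\CRLEditFlags

function Read-DerLength {
    # Decodes a DER length field at $Offset; returns (length, offset of the value).
    param([byte[]]$Bytes, [int]$Offset)
    $first = $Bytes[$Offset]
    if ($first -lt 0x80) { return @([int]$first, ($Offset + 1)) }
    $count = $first -band 0x7F
    $len = 0
    for ($i = 1; $i -le $count; $i++) { $len = ($len * 256) + $Bytes[$Offset + $i] }
    return @($len, ($Offset + 1 + $count))
}

function Get-AkiComponents {
    # Walks the top-level children of the AKI SEQUENCE and flags each tag seen.
    param([byte[]]$Der)
    if ($Der[0] -ne 0x30) { throw "AKI extension value must start with a SEQUENCE (0x30)" }
    $seqLen, $pos = Read-DerLength -Bytes $Der -Offset 1
    $end = $pos + $seqLen
    $result = [ordered]@{ KeyID = $false; IssuerName = $false; IssuerSerial = $false }
    while ($pos -lt $end) {
        $tag = $Der[$pos]
        $valLen, $valPos = Read-DerLength -Bytes $Der -Offset ($pos + 1)
        switch ($tag) {
            0x80 { $result.KeyID = $true }
            0xA1 { $result.IssuerName = $true }
            0x82 { $result.IssuerSerial = $true }
        }
        $pos = $valPos + $valLen   # skip the value, whatever it contains
    }
    return [pscustomobject]$result
}

# Real certificate (placeholder path): pull the AKI extension by OID 2.5.29.35.
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\issued.cer'
# $aki  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
# Get-AkiComponents -Der $aki.RawData

# Constructed sample 1: KeyID-only AKI using the 20-byte key id quoted in the question.
$keyIdOnly = [byte[]]@(0x30,0x16,0x80,0x14,0xed,0x2a,0x47,0xa4,0xe9,0x09,0x5a,0xec,0x9e,0x51,0x1a,0x81,0x04,0x58,0x78,0x87,0x61,0x3f,0x94,0xfc)
# Constructed sample 2: short key id, directoryName issuer "CN=CA", serial 0x1001.
$full = [byte[]]@(0x30,0x1D,0x80,0x04,0x01,0x02,0x03,0x04,
                  0xA1,0x11,0xA4,0x0F,0x30,0x0D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x03,0x13,0x02,0x43,0x41,
                  0x82,0x02,0x10,0x01)
Get-AkiComponents -Der $keyIdOnly
Get-AkiComponents -Der $full
```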


Spat


PS:

  • My posts seem to vary in text size... one day I'll figure this out.
  • My URL links don't show up as links when viewed from the main blogs.msdn.com page - I noticed some folks do show up right... one day I'll figure this out too.
  • It would be really cool if I could search within blogs.msdn.com -- say I only wanted hits from within these blogs.